Over the past century there have been many legislative attempts at defining the best practices for food safety, food security, and finally food defense.

The early 1900’s saw the introduction of the Federal Meat Inspection Act, followed by the FD&C Act, and a myriad of CFR’s including Good Manufacturing Practices. In 2002 the Homeland Security Act was introduced, and more recently FSMA’s Food Defense Rule (officially named the Final Rule for Mitigation Strategies to Protect Food Against Intentional Adulteration).

It is safe to say that these earlier legislative efforts lacked the teeth required to make them much more than just suggested best practices. However, now the latest iteration comes on the heels of new muscle being given to the FDA which provides it with improved enforcement capabilities.

The future of food defense

For the first time food companies are now required to create a solid food defense plan, as opposed to simply making concerted efforts to satisfy an auditor’s assessment of their preparedness. Luckily for us FDA took a familiar approach to the requirements within this rule and made it fundamentally similar to HACCP.

The noticeable difference between the two is that where HACCP’s focus was mainly on accidental or environmental contamination, the new Food Defense Rule is aimed at preventing intentional adulteration resulting from specific acts of terrorism targeting the food supply.

The Food Defense Rule can essentially be broken down into 4 distinct requirements.

Vulnerability Assessment

A robust VA will consist of the proper identification of vulnerabilities at the process steps for each food type manufactured, processed, packed, or held at a food facility. At each point (or step) in the facility’s process it is essential to evaluate:

The severity and scale of the potential impact on public health (think: probability and severity).

Consider the volume of the product

The number of servings

Potential agents of concern

The infectious/lethal doses of each

The possible number of illnesses and death

The degree of physical access to the product.

Presence of physical barriers

The ability to successfully contaminate the product.

Mitigation Strategies

Mitigation strategies should be identifiable in your plan and implemented at each actionable process step. This is to provide the necessary assurances that vulnerabilities will be effectively minimized or at least prevented.

During the Proposed Rule comment period, the FDA made the distinction between Broad and Focused mitigation strategies, however this distinction has been removed from the final rule. Essentially, “broad” mitigation strategies might not be considered an effective means of protecting specific points from being attacked by an internal agent, however the final rule recognizes that a mitigation strategy, when deliberately applied to protect the step from an insider attack, would sufficiently minimize the risk of intentional adulteration.

Mitigation Strategy Management Components

Facilities must establish actions which are appropriate to their operation and the product(s) they produce. Steps must be taken to ensure the proper implementation of each mitigation strategy.

Monitoring: Establish and Implement procedures and methodology which incorporate the performance frequency

Corrective Actions: The reaction taken if mitigation strategies are not implemented properly

Verification: The confirmation exercises which guarantee that monitoring is being conducted and the proper choices regarding corrective actions are being made

Training and Recordkeeping

Food production facilities are required to guarantee that responsible individuals assigned to the defined vulnerable areas have received proper and appropriate training. Records must be maintained for all food defense monitoring, corrective actions, and verification activities.

Facilities must also ensure that the personnel assigned to the vulnerable areas receive appropriate training. This means that facilities must maintain records for food defense monitoring, corrective actions, and verification activities.

When do I need to comply?

The FDA fully understands that this is the first time that an actual food defense plan is being required of food manufacturers so they are delaying the final compliance timeline allowing companies to comply with the other parts of FSMA first. According to the FDA compliance dates are the following:

Very Small Businesses—a business (including any subsidiaries and affiliates) averaging less than $10,000,000 per year (adjusted for inflation), during the three-year period preceding the applicable calendar year in sales of human food plus the market value of human food manufactured, processed, packed, or held without sale (e.g., held for a fee). These businesses would have to comply with modified requirements within five years after the publication of the final rule.

Small Businesses—a business employing fewer than 500 persons would have to comply four years after the publication of the final rule.

Other Businesses—a business that is not small or very small and does not qualify for exemptions would have to comply three years after the publication of the final rule.

The FDA has provided quite a bit of assistance which is freely available throughout their website, and they even have published an online searchable Mitigation Strategies Database which can be helpful if you choose not to utilize expert assistance to help you.

However as is the case with the entire Food Safety Modernization Act the requirements are so important that the best practice here would be to utilize the online database in conjunction with expert assistance.

Companies today have the benefit of cloud software which can be their greatest asset in their toolbelt

In addition to FDA assistance and even expert assistance, companies today have the benefit of cloud software which can be their greatest asset in their toolbelt as they prepare to put their programs together in line with the requirements.

FSMA has given the FDA the muscle necessary to require the new provisions and also the teeth required to enforce them!

Right now, time is on your side and you have some breathing room until the compliance inspections for Food Defense begin. That time is ticking however, and the cost of noncompliance will be great.

I’m reminded of the Andy Dufresne quote from The Shawshank Redemption: “I guess it comes down to a simple choice, really. Get busy living or get busy dying.